Determining what process has bound a port (without listening) on Windows

12

1

If I want to find out what process is listening on what socket, I can use netstat/TCPview and will immediately see it. However, it is possible to bind to an address without listening. If this is done, it does not show up in netstat/TCPview, but does block the socket.

Python example:

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0',12345))

The port is now bound, and attempting to execute the same code in a second instance while the first is still running will result in an error. However, unless you actually start listening on that port using

s.listen(1)

the port does not show up in netstat/TCPview.

The question is: Is it possible to see what ports are bound (but not listening), and which process is binding them?

The background of this is that I have had a moving range of 1976 ports that cannot be bound, and I want to know what causes this. In the meantime, I determined through trial and error that Internet Connection Sharing was blocking those ports, but I am still curious about the answer to this question.

Edit: Due to popular request, here is the code I used to find those ports:

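import time
import socket

# Try to bind and listen on every TCP port; a failure means the port is
# already in use or reserved by something else.
for i in range(0, 65536):
    print("Listening on port", i, '...', end=' ')
    serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        serversocket.bind(('0.0.0.0', i))
        serversocket.listen(5)
        #time.sleep(0.1)
        print("ok")
    except OSError:
        print("FAIL")
    finally:
        # Always release the socket so a failed attempt does not leak it.
        serversocket.close()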

(you may want to pipe the output to grep and filter for FAIL only)

Jan Schejbal

Posted 2013-02-26T15:12:30.990

Reputation: 1 014

You can loop this script from 0 to 65535, log the ports it fails on and compare the result with netstat ports. The ones not listed in netstat should be what you are looking for. I don't know of any tool or technique that will show you what process is behind those ports, unless it is listening. – Kedar – 2013-03-15T09:15:37.910

@Kedar: That is exactly what I did to find out which ports are affected. – Jan Schejbal – 2013-03-15T14:53:42.447

@Lizz: Code posted. – Jan Schejbal – 2013-03-21T11:50:26.517

Could you post it as the answer? Would be good to have as reference :) – Lizz – 2013-03-21T15:35:31.437

@Lizz: It is not an answer to the question. It shows which ports are affected, but not what is occupying them. – Jan Schejbal – 2013-03-21T23:32:08.973

Answers

1

You should use

DWORD GetExtendedTcpTable(PVOID pTcpTable, PDWORD pdwSize, BOOL bOrder, ULONG ulAf, TCP_TABLE_CLASS TableClass, ULONG Reserved);

with

TableClass value = TCP_TABLE_OWNER_PID_ALL "or" TCP_TABLE_OWNER_PID_CONNECTIONS "or" TCP_TABLE_OWNER_PID_LISTENER

pTcpTable structure -> MIB_TCPTABLE_OWNER_PID

depending on the info you'd like to retrieve

EDIT:

TCP_TABLE_OWNER_PID_ALL returns a MIB_TCPTABLE_OWNER_PID structure that is an array of MIB_TCPROW_OWNER_PID structures, where each dwState should have MIB_TCP_STATE_CLOSED when bound and not listening. This structure also offers dwLocalAddr and dwLocalPort.

typedef struct _MIB_TCPROW_OWNER_PID {
  DWORD dwState;
  DWORD dwLocalAddr;
  DWORD dwLocalPort;
  DWORD dwRemoteAddr;
  DWORD dwRemotePort;
  DWORD dwOwningPid;
} MIB_TCPROW_OWNER_PID, *PMIB_TCPROW_OWNER_PID;

Pat

Posted 2013-02-26T15:12:30.990

Reputation: 2 593

This only lists sockets that are both bound and listening, but the question was specifically about sockets that are bound but not listening. – Luke Dunstan – 2018-01-04T08:30:29.170

Are you asserting or asking??? See the edit – Pat – 2018-01-04T10:27:06.747

When I run https://pastebin.com/vaHMVRQR I get nothing in the table for bind without listen (Win7) – Luke Dunstan – 2018-01-08T02:06:29.930

The involved structures have particular alignments; you should not re-define them, you should reference the ones that are defined by MS. Also, if you want to initially test an MS API, Python is not the right tool; you should use C/C++ instead. – Pat – 2018-01-08T08:08:37.963

The code as displayed does not give information about sockets that are bound but unconnected; in recent versions of netstat there is now a command line parameter -q that shows those sockets – zentrunix – 2019-02-10T09:25:04.250
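
Added example, not part of the original answer or comments: decoding a raw MIB_TCPTABLE_OWNER_PID buffer (dwNumEntries followed by the six-DWORD rows quoted above), including the network-byte-order port and address fields. The buffer and its PIDs are constructed, and the helper names are hypothetical, so this shows the decoding only, not what Windows actually reports for a bound, non-listening socket.

```python
import socket
import struct

# Values from the Windows MIB_TCP_STATE enumeration (only the ones used here).
STATES = {1: "CLOSED", 2: "LISTEN", 5: "ESTAB"}
ROW = struct.Struct("<6I")  # six little-endian DWORDs, as in the typedef above

def port_of(dw):
    """The port is in the low 16 bits, stored in network byte order."""
    return ((dw & 0xFF) << 8) | ((dw >> 8) & 0xFF)

def addr_of(dw):
    """The IPv4 address DWORD is also stored in network byte order."""
    return socket.inet_ntoa(struct.pack("<I", dw))

def decode_table(buf):
    """Decode a raw MIB_TCPTABLE_OWNER_PID buffer: dwNumEntries, then rows."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if 4 + count * ROW.size > len(buf):
        raise ValueError("buffer is shorter than dwNumEntries claims")
    rows = []
    for n in range(count):
        st, la, lp, ra, rp, pid = ROW.unpack_from(buf, 4 + n * ROW.size)
        rows.append({"state": STATES.get(st, str(st)), "pid": pid,
                     "local": f"{addr_of(la)}:{port_of(lp)}",
                     "remote": f"{addr_of(ra)}:{port_of(rp)}"})
    return rows

def closed_rows(rows):
    """Rows in MIB_TCP_STATE_CLOSED, the state the answer says to look for."""
    return [(r["local"], r["pid"]) for r in rows if r["state"] == "CLOSED"]

def raw_row(state, lip, lport, rip, rport, pid):
    """Build one row exactly as it would sit in memory (constructed data)."""
    return (struct.pack("<I", state) + socket.inet_aton(lip)
            + struct.pack(">HH", lport, 0) + socket.inet_aton(rip)
            + struct.pack(">HH", rport, 0) + struct.pack("<I", pid))

# Constructed sample table; the PIDs are made up.
SAMPLE = struct.pack("<I", 3) + b"".join([
    raw_row(2, "0.0.0.0", 135, "0.0.0.0", 0, 900),
    raw_row(1, "0.0.0.0", 12345, "0.0.0.0", 0, 4242),
    raw_row(5, "192.168.122.157", 50059, "54.213.66.195", 443, 3100),
])

if __name__ == "__main__":
    print(closed_rows(decode_table(SAMPLE)))
```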

0

In recent versions of netstat there is now a command line parameter -q that shows those sockets.

$ netstat -?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating...
  ...
  -p proto      Shows connections for the protocol specified...
  -q            Displays all connections, listening ports, and bound
                nonlistening TCP ports. Bound nonlistening ports may or may not
                be associated with an active connection.
  -r            Displays the routing table.
  ...

Example of use:

$ netstat -nq -p tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  ...

  TCP    192.168.122.157:50059  54.213.66.195:443      ESTABLISHED
  TCP    0.0.0.0:49676          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49700          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49704          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49705          0.0.0.0:0              BOUND
  ...

It seems there is no public API for getting the sockets in that situation. See my question in StackOverflow.

zentrunix

Posted 2013-02-26T15:12:30.990

Reputation: 101
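
Added example, not part of the original answer: a parser for netstat -noq -p tcp output that groups BOUND rows by owning PID and collapses them into port ranges, plus the comparison suggested in the comments on the question (ports where bind fails but netstat shows nothing). It assumes that adding netstat's -o flag puts a PID column on BOUND rows; the sample output, the PIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `netstat -noq -p tcp`; PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING       2104
  TCP    192.168.122.157:50059  54.213.66.195:443      ESTABLISHED     5320
  TCP    0.0.0.0:49676          0.0.0.0:0              BOUND           1488
  TCP    0.0.0.0:49700          0.0.0.0:0              BOUND           1488
  TCP    0.0.0.0:49704          0.0.0.0:0              BOUND           1488
  TCP    0.0.0.0:49705          0.0.0.0:0              BOUND           1488
  TCP    0.0.0.0:49706          0.0.0.0:0              BOUND           772
"""

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$")

def parse(text):
    """Return (local_port, state, pid) for every TCP row in the output."""
    hits = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], int(m[3])) for m in hits if m]

def runs(ports):
    """Collapse ports into inclusive (first, last) runs of consecutive numbers."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

def bound_by_pid(text):
    """Map each PID to the port runs it holds in the BOUND state."""
    held = {}
    for port, state, pid in parse(text):
        if state == "BOUND":
            held.setdefault(pid, []).append(port)
    return {pid: runs(ports) for pid, ports in held.items()}

def unexplained(failed_ports, text):
    """Ports where bind() failed but netstat shows no local socket at all."""
    seen = {port for port, _, _ in parse(text)}
    return runs(p for p in failed_ports if p not in seen)

if __name__ == "__main__":
    print(bound_by_pid(SAMPLE))
    print(unexplained([7, 49704, 49705, 50000, 50001], SAMPLE))
```

Feed unexplained() the FAIL ports from the scanning script in the question; whatever it returns is blocked by something netstat does not attribute to a socket.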